Name

shorewall-init — Companion package

Synopsis

shorewall-init [start|stop]

Description

Shorewall-init is an optional package (added in Shorewall 4.4.10) that can be installed along with Shorewall, Shorewall6, Shorewall-lite and/or Shorewall6-lite. It provides two key features:

  1. It can close (stop) the firewall during boot prior to starting the network. This can prevent unwanted connections from being accepted after the network comes up but before the firewall is started.

  2. It can interface with your distribution's ifup/ifdown scripts and/or NetworkManager to allow firewall actions when an interface starts or stops.

These two capabilities can be enabled separately.

After you install the shorewall-init package, you can activate it by modifying the Shorewall-init configuration file:

  • On Debian-based system, the file is /etc/default/shorewall-init.

  • On other systems, the file is /etc/sysconfig/shorewall-init.

To activate the safe boot feature, edit the configuration file and set PRODUCTS to a space-separated list of Shorewall products that you want to be closed before networking starts.

Example:

PRODUCTS="shorewall shorewall6"

You also must insure that the compiled scripts for the listed products are compiled using Shorewall 4.4.10 or later.

Shorewall

shorewall compile

Shorewall6

shorewall6 compile

Shorewall-lite

On the administrative system, enter the command shorewall export firewall from the firewall's configuration directory.

Shorewall6-lite

On the administrative system, enter the command shorewall6 export firewall from the firewall's configuration directory.

The second feature (ifup/ifdown and NetworkManager integration) should only be activated on systems that do not use a link status monitor line swping or LSM.

  • Edit the configuration file and set IFUPDOWN=1

For NetworkManager integration, you will want to disable firewall startup at boot and delay it to when your interface comes up. For this to work correctly, you must set the required or the optional option on at least one interface then:

  • On Debian-based systems, edit /etc/default/product for each product listed in the PRODUCTS setting and set startup=0.

  • On other systems, use the distribution's service control tool (insserv, chkconfig, etc.) to disable startup of the products listed in the PRODUCTS setting.

On a laptop with both Ethernet and wireless interfaces, you will want to make both interfaces optional and set the REQUIRE_INTERFACE option to Yes in shorewall.conf (5) or shorewall6.conf (5). This causes the firewall to remain stopped until at least one of the interfaces comes up.

FILES

/etc/default/shorewall-init (Debian-based systems) or /etc/sysconfig/shorewall-init (other distributions)

See ALSO

shorewall(8)

Documentation


Frequently Used Articles

- FAQs - Manpages - Configuration File Basics - Beginner Documentation - Troubleshooting

Shorewall 4.4/4.5/4.6 Documentation

Shorewall 4.0/4.2 Documentation


Shorewall 5.0/5.1/5.2 HOWTOs and Other Articles

- 6to4 and 6in4 Tunnels - Accounting - Actions - Aliased (virtual) Interfaces (e.g., eth0:0) - Anatomy of Shorewall - Anti-Spoofing Measures - AUDIT Target support - Bandwidth Control - Blacklisting/Whitelisting - Bridge/Firewall - Building Shorewall from GIT - Commands - Compiled Programs - Configuration File Basics - DHCP - DNAT - Docker - Dynamic Zones - ECN Disabling by host or subnet - Events - Extension Scripts - Fallback/Uninstall - FAQs - Features - Fool's Firewall - Forwarding Traffic on the Same Interface - FTP and Shorewall - Helpers/Helper Modules - Installation/Upgrade - IPP2P - IPSEC - Ipsets - IPv6 Support - ISO 3661 Country Codes - Kazaa Filtering - Kernel Configuration - KVM (Kernel-mode Virtual Machine) - Limiting Connection Rates - Linux Containers (LXC) - Linux-vserver - Logging - Macros - MAC Verification - Manpages - Manual Chains - Masquerading - Multiple Internet Connections from a Single Firewall - Multiple Zones Through One Interface - My Shorewall Configuration - Netfilter Overview - Network Mapping - No firewalling of traffic between bridge port - One-to-one NAT - Operating Shorewall - OpenVPN - OpenVZ - Packet Marking - Packet Processing in a Shorewall-based Firewall - 'Ping' Management - Port Forwarding - Port Information - Port Knocking (deprecated) - Port Knocking, Auto Blacklisting and Other Uses of the 'Recent Match' - PPTP - Proxy ARP - QuickStart Guides - Release Model - Requirements - Routing and Shorewall - Routing on One Interface - Samba - Shared Shorewall/Shorewall6 Configuration - Shorewall Events - Shorewall Init - Shorewall Lite - Shorewall on a Laptop - Shorewall Perl - Shorewall Setup Guide - SMB - SNAT - Split DNS the Easy Way - Squid with Shorewall - Starting/stopping the Firewall - Static (one-to-one) NAT - Support - Tips and Hints - Traffic Shaping/QOS - Simple - Traffic Shaping/QOS - Complex - Transparent Proxy - UPnP - Upgrade Issues - Upgrading to Shorewall 4.4 (Upgrading Debian Lenny to Squeeze) - VPN - VPN Passthrough - White List Creation - Xen - Shorewall in a Bridged Xen DomU - Xen - Shorewall in Routed Xen Dom0

Top of Page